File name:

CrackedDefault.exe

Full analysis: https://app.any.run/tasks/36cfee6d-ea8d-4f5d-aa7d-add412777d91
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: March 24, 2025, 18:46:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
asyncrat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

EE3FA50B70D2796EF1E27F5ECE10EDBF

SHA1:

B41FE73491B0A2C2AE2059DA96A523C3F5B587AE

SHA256:

EE497CAF223652C226571906EA5623D4A51DDC303D3E1D59443B8DA17B7D29DA

SSDEEP:

1536:XpSSEuJCmcvChXQ8KKaslxKtNQzzxH1bi/SBs6LVclN:XpSSEuJCmcvZ8KKaslxKt8H1biq9BY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • CrackedDefault.exe (PID: 7392)
    • ASYNCRAT has been detected (YARA)

      • System.exe (PID: 7524)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • CrackedDefault.exe (PID: 7392)
    • Executable content was dropped or overwritten

      • CrackedDefault.exe (PID: 7392)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7428)
    • Executing commands from a ".bat" file

      • CrackedDefault.exe (PID: 7392)
    • Starts CMD.EXE for commands execution

      • CrackedDefault.exe (PID: 7392)
    • Potential Corporate Privacy Violation

      • System.exe (PID: 7524)
    • Connects to unusual port

      • System.exe (PID: 7524)
    • The executable file from the user directory is run by the CMD process

      • System.exe (PID: 7524)
  • INFO

    • Creates files or folders in the user directory

      • CrackedDefault.exe (PID: 7392)
    • Reads Environment values

      • CrackedDefault.exe (PID: 7392)
      • System.exe (PID: 7524)
    • Reads the machine GUID from the registry

      • CrackedDefault.exe (PID: 7392)
      • System.exe (PID: 7524)
    • Create files in a temporary directory

      • CrackedDefault.exe (PID: 7392)
    • Reads the computer name

      • CrackedDefault.exe (PID: 7392)
      • System.exe (PID: 7524)
    • Checks supported languages

      • CrackedDefault.exe (PID: 7392)
      • System.exe (PID: 7524)
    • Reads the software policy settings

      • System.exe (PID: 7524)
      • slui.exe (PID: 7828)
    • Checks proxy server information

      • slui.exe (PID: 7828)
      • System.exe (PID: 7524)
    • Disables trace logs

      • System.exe (PID: 7524)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

AsyncRat

(PID) Process: (7524) System.exe
C2 (1): null
Ports (1): null
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Options
AutoRun: true
Mutex: qmcwkkwaroj
InstallFolder: %AppData%
Certificates
Cert1: MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcN...
Server_Signature: Okymo4TmvsQnA2wvcqraREPTHhd39nloUHidyXQ1FjWo1MF8jRLaCLE4nozC3Pe/XqcfUZoPH+UzATU5PC4/F/ZApAyRcgQDZqttHzAi4B+xEUz7iPN6/5YaH9pAA/LbVFO9w4p1eJ/C7zAUtRsKlU+l75O3f9MNgQPUXYKtUp8=
Keys
AES: 316d4bd86573c9f6d1d2682bbc13b525705621070eb74716ededf78792bd51ed
Salt: VenomRATByVenom

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:08 22:10:28+00:00
ImageFileCharacteristics: Executable
PEType: PE32
LinkerVersion: 8
CodeSize: 71168
InitializedDataSize: 4096
UninitializedDataSize: -
EntryPoint: 0x1347e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.1.0
ProductVersionNumber: 6.0.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 6.0.1
InternalName: ClientAny.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: ClientAny.exe
ProductName: -
ProductVersion: 6.0.1
AssemblyVersion: 6.0.1.0
All screenshots are available in the full report
Total processes
124
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Processes in the graph: crackeddefault.exe, cmd.exe (no specs), conhost.exe (no specs), timeout.exe (no specs), system.exe (#ASYNCRAT), slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 7392
CMD: "C:\Users\admin\Desktop\CrackedDefault.exe"
Path: C:\Users\admin\Desktop\CrackedDefault.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.0.1
Modules
Images
c:\users\admin\desktop\crackeddefault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 7428
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmpCDF0.tmp.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: CrackedDefault.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 7452
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7500
CMD: timeout 3
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7524
CMD: "C:\Users\admin\AppData\Roaming\System.exe"
Path: C:\Users\admin\AppData\Roaming\System.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Version:
6.0.1
Modules
Images
c:\users\admin\appdata\roaming\system.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 7828
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
7 092
Read events
7 077
Write events
15
Delete events
0

Modification events

(PID) Process: (7392) CrackedDefault.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: System
Value: "C:\Users\admin\AppData\Roaming\System.exe"

(PID) Process: (7524) System.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\System_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7524) System.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\System_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (7524) System.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\System_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (7524) System.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\System_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (7524) System.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\System_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (7524) System.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\System_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (7524) System.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\System_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (7524) System.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\System_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7524) System.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\System_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7392 | CrackedDefault.exe | C:\Users\admin\AppData\Roaming\MyData\DataLogs.conf | text
MD5: CF759E4C5F14FE3EEC41B87ED756CEA8
SHA256: C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
7392 | CrackedDefault.exe | C:\Users\admin\AppData\Local\Temp\tmpCDF0.tmp.bat | text
MD5: 19494084E4876CF1FCB5B50B5EA3C2C6
SHA256: 9D3BB2F25559BD67B70D3EF3A4B5999EE521E9F4F8803B128B4BFC98F9CCEB96
7392 | CrackedDefault.exe | C:\Users\admin\AppData\Roaming\System.exe | executable
MD5: EE3FA50B70D2796EF1E27F5ECE10EDBF
SHA256: EE497CAF223652C226571906EA5623D4A51DDC303D3E1D59443B8DA17B7D29DA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
44
TCP/UDP connections
62
DNS requests
7
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
- | - | GET | 200 | 23.186.113.60:443 | https://paste.ee/r/oBfRfDEZ/0 | unknown | - | - | -
- | - | GET | 200 | 23.186.113.60:443 | https://paste.ee/r/oBfRfDEZ/0 | unknown | - | - | -
- | - | GET | 200 | 23.186.113.60:443 | https://paste.ee/r/oBfRfDEZ/0 | unknown | - | - | -
- | - | GET | 200 | 23.186.113.60:443 | https://paste.ee/r/oBfRfDEZ/0 | unknown | - | - | -
- | - | GET | 200 | 23.186.113.60:443 | https://paste.ee/r/oBfRfDEZ/0 | unknown | text | 26 b | shared
- | - | GET | 200 | 23.186.113.60:443 | https://paste.ee/r/oBfRfDEZ/0 | unknown | text | 26 b | shared
- | - | GET | 200 | 23.186.113.60:443 | https://paste.ee/r/oBfRfDEZ/0 | unknown | text | 26 b | shared
- | - | GET | 200 | 23.186.113.60:443 | https://paste.ee/r/oBfRfDEZ/0 | unknown | text | 26 b | shared
- | - | GET | 200 | 23.186.113.60:443 | https://paste.ee/r/oBfRfDEZ/0 | unknown | text | 26 b | shared
- | - | GET | 200 | 23.186.113.60:443 | https://paste.ee/r/oBfRfDEZ/0 | unknown | text | 26 b | shared

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
7524 | System.exe | 23.186.113.60:443 | paste.ee | - | - | unknown
7524 | System.exe | 158.178.201.63:1523 | yk5yfe0zi.localto.net | - | GB | unknown
7216 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
7828 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.104.136.2
unknown
google.com
  • 216.58.206.78
unknown
paste.ee
  • 23.186.113.60
unknown
yk5yfe0zi.localto.net
  • 158.178.201.63
unknown
activation-v2.sls.microsoft.com
  • 20.83.72.98
unknown

Threats

PID
Process
Class
Message
2196 | svchost.exe | Misc activity | ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
7524 | System.exe | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI
No debug info